use of org.apache.ranger.security.context.RangerSecurityContext in project ranger by apache.
the class TestRangerServiceDefService method setup.
public void setup() {
RangerSecurityContext context = new RangerSecurityContext();
context.setUserSession(new UserSessionBase());
RangerContextHolder.setSecurityContext(context);
UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
currentUserSession.setUserAdmin(true);
}
use of org.apache.ranger.security.context.RangerSecurityContext in project ranger by apache.
the class TestPublicAPIs method setup.
@Before
public void setup() throws Exception {
RangerSecurityContext context = new RangerSecurityContext();
context.setUserSession(new UserSessionBase());
RangerContextHolder.setSecurityContext(context);
UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
currentUserSession.setUserAdmin(true);
}
use of org.apache.ranger.security.context.RangerSecurityContext in project ranger by apache.
the class RangerSSOAuthenticationFilter method doFilter.
/*
* doFilter of RangerSSOAuthenticationFilter is the first in the filter list so in this it check for the request
* if the request is from browser, doesn't contain local login and sso is enabled then it process the request against knox sso
* else if it's ssoenable and the request is with local login string then it show's the appropriate msg
* else if ssoenable is false then it contiunes with further filters as it was before sso
*/
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
String xForwardedURL = constructForwardableURL(httpRequest);
if (httpRequest.getRequestedSessionId() != null && !httpRequest.isRequestedSessionIdValid()) {
synchronized (httpRequest.getServletContext()) {
if (httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()) != null && "locallogin".equals(httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()).toString())) {
httpRequest.getSession().setAttribute("locallogin", "true");
httpRequest.getServletContext().removeAttribute(httpRequest.getRequestedSessionId());
}
}
}
RangerSecurityContext context = RangerContextHolder.getSecurityContext();
UserSessionBase session = context != null ? context.getUserSession() : null;
boolean ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
String userAgent = httpRequest.getHeader("User-Agent");
if (httpRequest.getSession() != null) {
if (httpRequest.getSession().getAttribute("locallogin") != null) {
servletRequest.setAttribute("ssoEnabled", false);
filterChain.doFilter(servletRequest, servletResponse);
return;
}
}
// If sso is enable and request is not for local login and is from browser then it will go inside and try for knox sso authentication
if (ssoEnabled && !httpRequest.getRequestURI().contains(LOCAL_LOGIN_URL)) {
// Note : Need to remove !isAuthenticated() after knoxsso solve the bug from cross-origin script
if (jwtProperties != null && !isAuthenticated()) {
HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
String serializedJWT = getJWTFromCookie(httpRequest);
// if we get the hadoop-jwt token from the cookies then will process it further
if (serializedJWT != null) {
SignedJWT jwtToken = null;
try {
jwtToken = SignedJWT.parse(serializedJWT);
boolean valid = validateToken(jwtToken);
// if the public key provide is correct and also token is not expired the process token
if (valid) {
String userName = jwtToken.getJWTClaimsSet().getSubject();
LOG.info("SSO login user : " + userName);
String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
// if we get the userName from the token then log into ranger using the same user
if (userName != null && !userName.trim().isEmpty()) {
final List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
final UserDetails principal = new User(userName, "", grantedAuths);
final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest);
((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
authenticationProvider.setSsoEnabled(ssoEnabled);
Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
authentication = getGrantedAuthority(authentication);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
filterChain.doFilter(servletRequest, httpServletResponse);
} else // if the token is not valid then redirect to knox sso
{
if (isWebUserAgent(userAgent)) {
String ssourl = constructLoginURL(httpRequest, xForwardedURL);
if (LOG.isDebugEnabled()) {
LOG.debug("SSO URL = " + ssourl);
}
httpServletResponse.sendRedirect(ssourl);
} else {
filterChain.doFilter(servletRequest, httpServletResponse);
}
}
} catch (ParseException e) {
LOG.warn("Unable to parse the JWT token", e);
}
} else // if the jwt token is not available then redirect it to knox sso
{
if (isWebUserAgent(userAgent)) {
String ssourl = constructLoginURL(httpRequest, xForwardedURL);
if (LOG.isDebugEnabled()) {
LOG.debug("SSO URL = " + ssourl);
}
httpServletResponse.sendRedirect(ssourl);
} else {
filterChain.doFilter(servletRequest, httpServletResponse);
}
}
} else // if property is not loaded or is already authenticated then proceed further with next filter
{
filterChain.doFilter(servletRequest, servletResponse);
}
} else if (ssoEnabled && ((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent) && isAuthenticated()) {
// If already there's an active session with sso and user want's to switch to local login(i.e without sso) then it won't be navigated to local login
// In this scenario the user as to use separate browser
String url = ((HttpServletRequest) servletRequest).getRequestURI().replace(LOCAL_LOGIN_URL + "/", "");
url = url.replace(LOCAL_LOGIN_URL, "");
LOG.warn("There is an active session and if you want local login to ranger, try this on a separate browser");
((HttpServletResponse) servletResponse).sendRedirect(url);
} else // if sso is not enable or the request is not from browser then proceed further with next filter
{
filterChain.doFilter(servletRequest, servletResponse);
}
}
use of org.apache.ranger.security.context.RangerSecurityContext in project ranger by apache.
the class TestRangerBizUtil method setup.
@Before
public void setup() {
RangerSecurityContext context = new RangerSecurityContext();
context.setUserSession(new UserSessionBase());
RangerContextHolder.setSecurityContext(context);
}
use of org.apache.ranger.security.context.RangerSecurityContext in project ranger by apache.
the class TestServiceDBStore method setup.
public void setup() {
RangerSecurityContext context = new RangerSecurityContext();
context.setUserSession(new UserSessionBase());
RangerContextHolder.setSecurityContext(context);
UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
currentUserSession.setUserAdmin(true);
}
Aggregations